From: Ondřej Surý Date: Wed, 21 Nov 2018 21:21:16 +0000 (+0100) Subject: dnssec system test: Remove RSAMD5 usage and make script shellcheck compliant X-Git-Tag: v9.13.6~110^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=ca7cadfa92e86e84afa759c6c45dee6177a6e8ba;p=thirdparty%2Fbind9.git dnssec system test: Remove RSAMD5 usage and make script shellcheck compliant --- diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index acfc574c4af..95550bd4b76 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -9,93 +9,93 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed -rm -f */example.bk -rm -f */named.conf -rm -f */named.memstats -rm -f */named.run -rm -f */named.secroots -rm -f */tmp* */*.jnl */*.bk */*.jbk -rm -f */trusted.conf */managed.conf */revoked.conf -rm -f Kexample.* -rm -f canonical?.* -rm -f delv.out* -rm -f delve.out* -rm -f dig.out.* -rm -f dsfromkey.out.* -rm -f keygen.err -rm -f named.secroots.test* -rm -f nosign.before -rm -f ns*/*.nta -rm -f ns*/managed-keys.bind* ns*/*.mkeys* -rm -f ns*/named.lock -rm -f ns1/managed.key.id -rm -f ns1/root.db ns2/example.db ns3/secure.example.db -rm -f ns2/algroll.db -rm -f ns2/badparam.db ns2/badparam.db.bad -rm -f ns2/cdnskey-kskonly.secure.db -rm -f ns2/cdnskey-update.secure.db -rm -f ns2/cdnskey-x.secure.db -rm -f ns2/cdnskey.secure.db -rm -f ns2/cds-auto.secure.db ns2/cds-auto.secure.db.jnl -rm -f ns2/cds-kskonly.secure.db -rm -f ns2/cds-update.secure.db ns2/cds-update.secure.db.jnl -rm -f ns2/cds.secure.db ns2/cds-x.secure.db -rm -f ns2/dlv.db -rm -f ns2/in-addr.arpa.db -rm -f ns2/nsec3chain-test.db -rm -f ns2/private.secure.example.db -rm -f ns2/single-nsec3.db -rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db -rm -f ns3/badds.example.db -rm -f ns3/dname-at-apex-nsec3.example.db -rm -f ns3/dnskey-nsec3-unknown.example.db -rm -f ns3/dnskey-nsec3-unknown.example.db.tmp -rm -f ns3/dnskey-unknown.example.db -rm -f ns3/dnskey-unknown.example.db.tmp -rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl -rm -f ns3/expired.example.db ns3/update-nsec3.example.db -rm -f ns3/expiring.example.db ns3/nosign.example.db -rm -f ns3/future.example.db ns3/trusted-future.key -rm -f ns3/inline.example.db.signed -rm -f ns3/kskonly.example.db -rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower -rm -f ns3/managed-future.example.db -rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db -rm -f ns3/nsec3.nsec3.example.db -rm -f ns3/nsec3.optout.example.db -rm -f ns3/optout-unknown.example.db ns3/optout.example.db -rm -f ns3/optout.nsec3.example.db -rm -f ns3/optout.optout.example.db -rm -f ns3/publish-inactive.example.db -rm -f ns3/revkey.example.db -rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db -rm -f ns3/secure.below-cname.example.db -rm -f ns3/secure.nsec3.example.db -rm -f ns3/secure.optout.example.db -rm -f ns3/siginterval.conf -rm -f ns3/siginterval.example.db -rm -f ns3/split-dnssec.example.db -rm -f ns3/split-smart.example.db -rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed -rm -f ns3/ttlpatch.example.db.patched -rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db -rm -f ns4/managed-keys.bind* -rm -f ns4/named_dump.db -rm -f ns6/optout-tld.db -rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk -rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit -rm -f nsupdate.out* -rm -f python.out.* -rm -f rndc.out.* -rm -f signer/*.db -rm -f signer/*.signed.post* -rm -f signer/*.signed.pre* -rm -f signer/example.db.after signer/example.db.before -rm -f signer/example.db.changed -rm -f signer/general/dsset* -rm -f signer/general/signed.zone -rm -f signer/general/signer.out.* -rm -f signer/nsec3param.out -rm -f signer/signer.out.* -rm -f signing.out* +rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed +rm -f ./*/example.bk +rm -f ./*/named.conf +rm -f ./*/named.memstats +rm -f ./*/named.run +rm -f ./*/named.secroots +rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk +rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf +rm -f ./Kexample.* +rm -f ./canonical?.* +rm -f ./delv.out* +rm -f ./delve.out* +rm -f ./dig.out.* +rm -f ./dsfromkey.out.* +rm -f ./keygen.err +rm -f ./named.secroots.test* +rm -f ./nosign.before +rm -f ./ns*/*.nta +rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys* +rm -f ./ns*/named.lock +rm -f ./ns1/managed.key.id +rm -f ./ns1/root.db ./ns2/example.db ./ns3/secure.example.db +rm -f ./ns2/algroll.db +rm -f ./ns2/badparam.db ./ns2/badparam.db.bad +rm -f ./ns2/cdnskey-kskonly.secure.db +rm -f ./ns2/cdnskey-update.secure.db +rm -f ./ns2/cdnskey-x.secure.db +rm -f ./ns2/cdnskey.secure.db +rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl +rm -f ./ns2/cds-kskonly.secure.db +rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl +rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db +rm -f ./ns2/dlv.db +rm -f ./ns2/in-addr.arpa.db +rm -f ./ns2/nsec3chain-test.db +rm -f ./ns2/private.secure.example.db +rm -f ./ns2/single-nsec3.db +rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db +rm -f ./ns3/badds.example.db +rm -f ./ns3/dname-at-apex-nsec3.example.db +rm -f ./ns3/dnskey-nsec3-unknown.example.db +rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp +rm -f ./ns3/dnskey-unknown.example.db +rm -f ./ns3/dnskey-unknown.example.db.tmp +rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl +rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db +rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db +rm -f ./ns3/future.example.db ./ns3/trusted-future.key +rm -f ./ns3/inline.example.db.signed +rm -f ./ns3/kskonly.example.db +rm -f ./ns3/lower.example.db ./ns3/upper.example.db ./ns3/upper.example.db.lower +rm -f ./ns3/managed-future.example.db +rm -f ./ns3/multiple.example.db ./ns3/nsec3-unknown.example.db ./ns3/nsec3.example.db +rm -f ./ns3/nsec3.nsec3.example.db +rm -f ./ns3/nsec3.optout.example.db +rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db +rm -f ./ns3/optout.nsec3.example.db +rm -f ./ns3/optout.optout.example.db +rm -f ./ns3/publish-inactive.example.db +rm -f ./ns3/revkey.example.db +rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db +rm -f ./ns3/secure.below-cname.example.db +rm -f ./ns3/secure.nsec3.example.db +rm -f ./ns3/secure.optout.example.db +rm -f ./ns3/siginterval.conf +rm -f ./ns3/siginterval.example.db +rm -f ./ns3/split-dnssec.example.db +rm -f ./ns3/split-smart.example.db +rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed +rm -f ./ns3/ttlpatch.example.db.patched +rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db +rm -f ./ns4/managed-keys.bind* +rm -f ./ns4/named_dump.db +rm -f ./ns6/optout-tld.db +rm -f ./ns7/multiple.example.bk ./ns7/nsec3.example.bk ./ns7/optout.example.bk +rm -f ./ns7/split-rrsig.db ./ns7/split-rrsig.db.unsplit +rm -f ./nsupdate.out* +rm -f ./python.out.* +rm -f ./rndc.out.* +rm -f ./signer/*.db +rm -f ./signer/*.signed.post* +rm -f ./signer/*.signed.pre* +rm -f ./signer/example.db.after ./signer/example.db.before +rm -f ./signer/example.db.changed +rm -f ./signer/general/dsset* +rm -f ./signer/general/signed.zone +rm -f ./signer/general/signer.out.* +rm -f ./signer/nsec3param.out +rm -f ./signer/signer.out.* +rm -f ./signing.out* diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 2f091cb053d..88206b7d0ad 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -9,8 +9,8 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" zone=. infile=root.db.in @@ -20,21 +20,21 @@ zonefile=root.db (cd ../ns6 && $SHELL sign.sh ) (cd ../ns7 && $SHELL sign.sh ) -cp ../ns2/dsset-example$TP . -cp ../ns2/dsset-dlv$TP . -cp ../ns2/dsset-in-addr.arpa$TP . +cp "../ns2/dsset-example$TP" . +cp "../ns2/dsset-dlv$TP" . +cp "../ns2/dsset-in-addr.arpa$TP" . -grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP -cp ../ns6/dsset-optout-tld$TP . +grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP" +cp "../ns6/dsset-optout-tld$TP" . -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key > $zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null # Configure the resolving server with a trusted key. -keyfile_to_trusted_keys $keyname > trusted.conf +keyfile_to_trusted_keys "$keyname" > trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf @@ -42,12 +42,11 @@ cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns7/trusted.conf # ...or with a managed key. -keyfile_to_managed_keys $keyname > managed.conf +keyfile_to_managed_keys "$keyname" > managed.conf cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # -keyid=`expr $keyname : 'K.+001+\(.*\)'` -keyid=`expr $keyid + 0` -echo "$keyid" > managed.key.id + +echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > managed.key.id diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 26b8a3c7dfa..0e98371df76 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -9,8 +9,8 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" zone=example. infile=example.db.in @@ -27,21 +27,23 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \ dnskey-unknown dnskey-nsec3-unknown managed-future revkey \ dname-at-apex-nsec3 do - cp ../ns3/dsset-$subdomain.example$TP . + cp "../ns3/dsset-$subdomain.example$TP" . done -keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` -keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") +keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat $infile $keyname1.key $keyname2.key >$zonefile +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null # # lower/uppercase the signature bits with the exception of the last characters # changing the last 4 characters will lead to a bad base64 encoding. # -$CHECKZONE -D -q -i local $zone $zonefile.signed | + +zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | awk ' tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { for (i = 1; i <= NF; i++ ) { @@ -81,7 +83,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { next; } -{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed +{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" # # signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. @@ -90,11 +92,11 @@ zone=in-addr.arpa. infile=in-addr.arpa.db.in zonefile=in-addr.arpa.db -keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` -keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null # Sign the privately secure file @@ -102,25 +104,24 @@ privzone=private.secure.example. privinfile=private.secure.example.db.in privzonefile=private.secure.example.db -privkeyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $privzone` +privkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$privzone") -cat $privinfile $privkeyname.key >$privzonefile +cat "$privinfile" "$privkeyname.key" > "$privzonefile" -$SIGNER -P -g -o $privzone -l dlv $privzonefile > /dev/null +"$SIGNER" -P -g -o "$privzone" -l dlv "$privzonefile" > /dev/null # Sign the DLV secure zone. - dlvzone=dlv. dlvinfile=dlv.db.in dlvzonefile=dlv.db -dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP +dlvsetfile="dlvset-$(echo "$privzone" |sed -e "s/\\.$//g")$TP" -dlvkeyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $dlvzone` +dlvkeyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$dlvzone") -cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile +cat "$dlvinfile" "$dlvkeyname.key" "$dlvsetfile" > "$dlvzonefile" -$SIGNER -P -g -o $dlvzone $dlvzonefile > /dev/null +"$SIGNER" -P -g -o "$dlvzone" "$dlvzonefile" > /dev/null # Sign the badparam secure file @@ -128,14 +129,14 @@ zone=badparam. infile=badparam.db.in zonefile=badparam.db -keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone` -keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname1.key $keyname2.key >$zonefile +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -$SIGNER -P -3 - -H 1 -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null -sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' $zonefile.signed > $zonefile.bad +sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" # Sign the single-nsec3 secure zone with optout @@ -143,12 +144,12 @@ zone=single-nsec3. infile=single-nsec3.db.in zonefile=single-nsec3.db -keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone` -keyname2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` +keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname1.key $keyname2.key >$zonefile +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -$SIGNER -P -3 - -A -H 1 -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null # # algroll has just has the old DNSKEY records removed and is waiting @@ -159,14 +160,14 @@ zone=algroll. infile=algroll.db.in zonefile=algroll.db -keyold1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -keyold2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -keynew1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -fk $zone` -keynew2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` +keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") +keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") +keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keynew1.key $keynew2.key >$zonefile +cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" -$SIGNER -P -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null +"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null # # Make a zone big enough that it takes several seconds to generate a new @@ -174,103 +175,104 @@ $SIGNER -P -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 # zone=nsec3chain-test zonefile=nsec3chain-test.db -cat > $zonefile << 'EOF' -$TTL 10 +cat > "$zonefile" << EOF +\$TTL 10 @ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200 @ 10 NS ns2 @ 10 NS ns3 ns2 10 A 10.53.0.2 ns3 10 A 10.53.0.3 EOF -awk 'END { for (i = 0; i < 300; i++) - print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> $zonefile -key1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` -cat $key1.key $key2.key >> $zonefile -$SIGNER -P -3 - -A -H 1 -g -o $zone -k $key1 $zonefile $key2 > /dev/null +for i in $(seq 300); do + echo "host$i 10 IN NS ns.elsewhere" +done >> "$zonefile" +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$key1.key" "$key2.key" >> "$zonefile" +"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null zone=cds.secure infile=cds.secure.db.in zonefile=cds.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -$DSFROMKEY -C $key1.key > $key1.cds -cat $infile $key1.key $key2.key $key1.cds >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +"$DSFROMKEY" -C "$key1.key" > "$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null zone=cds-x.secure infile=cds.secure.db.in zonefile=cds-x.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key3=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -$DSFROMKEY -C $key2.key > $key2.cds -cat $infile $key1.key $key3.key $key2.cds >$zonefile -$SIGNER -P -g -x -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +"$DSFROMKEY" -C "$key2.key" > "$key2.cds" +cat "$infile" "$key1.key" "$key3.key" "$key2.cds" > "$zonefile" +"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null zone=cds-update.secure infile=cds-update.secure.db.in zonefile=cds-update.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $key1.key $key2.key > $zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null zone=cds-kskonly.secure infile=cds-kskonly.secure.db.in zonefile=cds-kskonly.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $key1.key $key2.key > $zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null zone=cds-auto.secure infile=cds-auto.secure.db.in zonefile=cds-auto.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -$DSFROMKEY -C $key1.key > $key1.cds -cat $infile $key1.cds > $zonefile.signed +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +"$DSFROMKEY" -C "$key1.key" > "$key1.cds" +cat "$infile" "$key1.cds" > "$zonefile.signed" zone=cdnskey.secure infile=cdnskey.secure.db.in zonefile=cdnskey.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds -cat $infile $key1.key $key2.key $key1.cds >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null zone=cdnskey-x.secure infile=cdnskey.secure.db.in zonefile=cdnskey-x.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key3=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds -cat $infile $key2.key $key3.key $key1.cds >$zonefile -$SIGNER -P -g -x -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" +cat "$infile" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" +"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in zonefile=cdnskey-update.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $key1.key $key2.key > $zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null zone=cdnskey-kskonly.secure infile=cdnskey-kskonly.secure.db.in zonefile=cdnskey-kskonly.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $key1.key $key2.key > $zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" +"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in zonefile=cdnskey-auto.secure.db -key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone` -key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds -cat $infile $key1.cds > $zonefile.signed +key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" +cat "$infile" "$key1.cds" > "$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 064909949f9..b0c35d73e03 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -9,58 +9,59 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" zone=secure.example. infile=secure.example.db.in zonefile=secure.example.db -cnameandkey=`$KEYGEN -T KEY -q -a RSASHA1 -b 1024 -n host cnameandkey.$zone` -dnameandkey=`$KEYGEN -T KEY -q -a RSASHA1 -b 1024 -n host dnameandkey.$zone` -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone") +dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone") +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile +cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 zone=bogus.example. infile=bogus.example.db.in zonefile=bogus.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 zone=dynamic.example. infile=dynamic.example.db.in zonefile=dynamic.example.db -keyname1=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` -keyname2=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone -f KSK $zone` +keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -cat $infile $keyname1.key $keyname2.key >$zonefile +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 zone=keyless.example. infile=generic.example.db.in zonefile=keyless.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # Change the signer field of the a.b.keyless.example SIG A # to point to a provably nonexistent KEY record. -mv $zonefile.signed $zonefile.tmp -<$zonefile.tmp $PERL -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../NXT/;' >$zonefile.signed -rm -f $zonefile.tmp +zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 +mv "$zonefile.signed" "$zonefiletmp" +<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../NXT/;' > "$zonefile.signed" +rm -f "$zonefiletmp" # # NSEC3/NSEC test zone @@ -69,11 +70,11 @@ zone=secure.nsec3.example. infile=secure.nsec3.example.db.in zonefile=secure.nsec3.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # NSEC3/NSEC3 test zone @@ -82,11 +83,11 @@ zone=nsec3.nsec3.example. infile=nsec3.nsec3.example.db.in zonefile=nsec3.nsec3.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 # # OPTOUT/NSEC3 test zone @@ -95,11 +96,11 @@ zone=optout.nsec3.example. infile=optout.nsec3.example.db.in zonefile=optout.nsec3.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -A -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 # # A nsec3 zone (non-optout). @@ -108,11 +109,11 @@ zone=nsec3.example. infile=nsec3.example.db.in zonefile=nsec3.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -g -3 - -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 # # OPTOUT/NSEC test zone @@ -121,11 +122,11 @@ zone=secure.optout.example. infile=secure.optout.example.db.in zonefile=secure.optout.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # OPTOUT/NSEC3 test zone @@ -134,11 +135,11 @@ zone=nsec3.optout.example. infile=nsec3.optout.example.db.in zonefile=nsec3.optout.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 # # OPTOUT/OPTOUT test zone @@ -147,11 +148,11 @@ zone=optout.optout.example. infile=optout.optout.example.db.in zonefile=optout.optout.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -A -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 # # A optout nsec3 zone. @@ -160,11 +161,11 @@ zone=optout.example. infile=optout.example.db.in zonefile=optout.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -g -3 - -A -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -173,11 +174,11 @@ zone=nsec3-unknown.example. infile=nsec3-unknown.example.db.in zonefile=nsec3-unknown.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -U -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null 2>&1 # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -186,11 +187,11 @@ zone=optout-unknown.example. infile=optout-unknown.example.db.in zonefile=optout-unknown.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -U -A -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null 2>&1 # # A zone with a unknown DNSKEY algorithm. @@ -200,16 +201,16 @@ zone=dnskey-unknown.example. infile=dnskey-unknown.example.db.in zonefile=dnskey-unknown.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed -DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP -$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE +DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -219,16 +220,16 @@ zone=dnskey-nsec3-unknown.example. infile=dnskey-nsec3-unknown.example.db.in zonefile=dnskey-nsec3-unknown.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed -DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP -$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE +DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" # # A multiple parameter nsec3 zone. @@ -237,21 +238,21 @@ zone=multiple.example. infile=multiple.example.db.in zonefile=multiple.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 -mv $zonefile.signed $zonefile -$SIGNER -P -u3 - -o $zone $zonefile > /dev/null 2>&1 -mv $zonefile.signed $zonefile -$SIGNER -P -u3 AAAA -o $zone $zonefile > /dev/null 2>&1 -mv $zonefile.signed $zonefile -$SIGNER -P -u3 BBBB -o $zone $zonefile > /dev/null 2>&1 -mv $zonefile.signed $zonefile -$SIGNER -P -u3 CCCC -o $zone $zonefile > /dev/null 2>&1 -mv $zonefile.signed $zonefile -$SIGNER -P -u3 DDDD -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null 2>&1 +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null 2>&1 +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null 2>&1 +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null 2>&1 +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null 2>&1 # # A RSASHA256 zone. @@ -260,11 +261,11 @@ zone=rsasha256.example. infile=rsasha256.example.db.in zonefile=rsasha256.example.db -keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` +keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # A RSASHA512 zone. @@ -273,11 +274,11 @@ zone=rsasha512.example. infile=rsasha512.example.db.in zonefile=rsasha512.example.db -keyname=`$KEYGEN -q -a RSASHA512 -b 1024 -n zone $zone` +keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # A zone with the DNSKEY set only signed by the KSK @@ -286,10 +287,10 @@ zone=kskonly.example. infile=kskonly.example.db.in zonefile=kskonly.example.db -kskname=`$KEYGEN -q -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -x -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null 2>&1 # # A zone with the expired signatures @@ -298,11 +299,11 @@ zone=expired.example. infile=expired.example.db.in zonefile=expired.example.db -kskname=`$KEYGEN -q -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1 -rm -f $kskname.* $zskname.* +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null 2>&1 +rm -f "$kskname.*" "$zskname.*" # # A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE. @@ -311,10 +312,10 @@ zone=update-nsec3.example. infile=update-nsec3.example.db.in zonefile=update-nsec3.example.db -kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -3 -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 # # A NSEC signed zone that will have auto-dnssec enabled and @@ -324,12 +325,12 @@ zone=auto-nsec.example. infile=auto-nsec.example.db.in zonefile=auto-nsec.example.db -kskname=`$KEYGEN -q -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -kskname=`$KEYGEN -q -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # A NSEC3 signed zone that will have auto-dnssec enabled and @@ -339,12 +340,12 @@ zone=auto-nsec3.example. infile=auto-nsec3.example.db.in zonefile=auto-nsec3.example.db -kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -3 -a RSASHA1 $zone` -kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -3 -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 # # Secure below cname test zone. @@ -352,9 +353,9 @@ $SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1 zone=secure.below-cname.example. infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $keyname.key >$zonefile -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$keyname.key" > "$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # Patched TTL test zone. @@ -365,11 +366,11 @@ zonefile=ttlpatch.example.db signedfile=ttlpatch.example.db.signed patchedfile=ttlpatch.example.db.patched -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $keyname.key >$zonefile +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -f $signedfile -o $zone $zonefile > /dev/null 2>&1 -$CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \ +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null 2>&1 +$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ awk '{$2 = "3600"; print}' > $patchedfile # @@ -380,11 +381,11 @@ infile=split-dnssec.example.db.in zonefile=split-dnssec.example.db signedfile=split-dnssec.example.db.signed -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cat $infile $keyname.key >$zonefile -echo '$INCLUDE "'"$signedfile"'"' >> $zonefile -: > $signedfile -$SIGNER -P -D -o $zone $zonefile > /dev/null 2>&1 +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$keyname.key" > "$zonefile" +echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" +: > "$signedfile" +"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null 2>&1 # # Seperate DNSSEC records smart signing. @@ -394,11 +395,12 @@ infile=split-smart.example.db.in zonefile=split-smart.example.db signedfile=split-smart.example.db.signed -keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone` -cp $infile $zonefile -echo '$INCLUDE "'"$signedfile"'"' >> $zonefile -: > $signedfile -$SIGNER -P -S -D -o $zone $zonefile > /dev/null 2>&1 +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cp "$infile" "$zonefile" +# shellcheck disable=SC2016 +echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" +: > "$signedfile" +"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null # # Zone with signatures about to expire, but no private key to replace them @@ -407,12 +409,12 @@ zone="expiring.example." infile="expiring.example.db.in" zonefile="expiring.example.db" signedfile="expiring.example.db.signed" -kskname=`$KEYGEN -q -a RSASHA1 $zone` -zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -cp $infile $zonefile -$SIGNER -S -e now+1mi -o $zone $zonefile > /dev/null 2>&1 -mv -f ${zskname}.private ${zskname}.private.moved -mv -f ${kskname}.private ${kskname}.private.moved +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null 2>&1 +mv -f "${zskname}.private" "${zskname}.private.moved" +mv -f "${kskname}.private" "${kskname}.private.moved" # # A zone where the signer's name has been forced to uppercase. @@ -422,10 +424,10 @@ infile="upper.example.db.in" zonefile="upper.example.db" lower="upper.example.db.lower" signedfile="upper.example.db.signed" -kskname=`$KEYGEN -q -a RSASHA1 $zone` -zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -cp $infile $zonefile -$SIGNER -P -S -o $zone -f $lower $zonefile > /dev/null 2>/dev/null +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null 2>/dev/null $CHECKZONE -D upper.example $lower 2>/dev/null | \ sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile @@ -437,10 +439,10 @@ zone="LOWER.EXAMPLE." infile="lower.example.db.in" zonefile="lower.example.db" signedfile="lower.example.db.signed" -kskname=`$KEYGEN -q -a RSASHA1 $zone` -zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -cp $infile $zonefile -$SIGNER -P -S -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null 2>&1 # # Zone with signatures about to expire, and dynamic, but configured @@ -450,10 +452,10 @@ zone="nosign.example." infile="nosign.example.db.in" zonefile="nosign.example.db" signedfile="nosign.example.db.signed" -kskname=`$KEYGEN -q -a RSASHA1 $zone` -zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -cp $infile $zonefile -$SIGNER -S -e now+1mi -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null 2>&1 # preserve a normalized copy of the NS RRSIG for comparison later $CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ @@ -463,8 +465,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ # An inline signing zone # zone=inline.example. -kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -3 -a RSASHA1 $zone` +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") # # publish a new key while deactivating another key at the same time. @@ -472,13 +474,13 @@ zskname=`$KEYGEN -q -3 -a RSASHA1 $zone` zone=publish-inactive.example infile=publish-inactive.example.db.in zonefile=publish-inactive.example.db -now=`date -u +%Y%m%d%H%M%S` -kskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -a RSASHA1 -f KSK $zone` -kskname=`$KEYGEN -I $now+90s -q -a RSASHA1 -f KSK $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -cp $infile $zonefile -$SIGNER -S -o $zone $zonefile > /dev/null 2>&1 +now=$(date -u +%Y%m%d%H%M%S) +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null 2>&1 # # A zone which will change its sig-validity-interval @@ -486,9 +488,9 @@ $SIGNER -S -o $zone $zonefile > /dev/null 2>&1 zone=siginterval.example infile=siginterval.example.db.in zonefile=siginterval.example.db -kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone` -zskname=`$KEYGEN -q -3 -a RSASHA1 $zone` -cp $infile $zonefile +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cp "$infile" "$zonefile" # # A zone with a bad DS in the parent @@ -498,11 +500,11 @@ zone=badds.example. infile=bogus.example.db.in zonefile=badds.example.db -keyname=`$KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP # @@ -511,11 +513,11 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP zone=future.example infile=future.example.db.in zonefile=future.example.db -kskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -s +3600 -o $zone $zonefile > /dev/null 2>&1 -cp -f $kskname.key trusted-future.key +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1 +cp -f "$kskname.key" trusted-future.key # # A zone with future signatures. @@ -523,10 +525,10 @@ cp -f $kskname.key trusted-future.key zone=managed-future.example infile=managed-future.example.db.in zonefile=managed-future.example.db -kskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone` -zskname=`$KEYGEN -q -a RSASHA1 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -s +3600 -o $zone $zonefile > /dev/null 2>&1 +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null 2>&1 # # A zone with a revoked key @@ -535,14 +537,13 @@ zone=revkey.example. infile=generic.example.db.in zonefile=revkey.example.db -ksk1=`$KEYGEN -q -a RSASHA1 -3fk $zone` -ksk1=`$REVOKE $ksk1` -ksk2=`$KEYGEN -q -a RSASHA1 -3fk $zone` -zsk1=`$KEYGEN -q -a RSASHA1 -3 $zone` +ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") +ksk1=$("$REVOKE" "$ksk1") +ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") +zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone") -cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile - -$SIGNER -P -o $zone $zonefile > /dev/null 2>&1 +cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null 2>&1 # # Check that NSEC3 are correctly signed and returned from below a DNAME @@ -550,7 +551,8 @@ $SIGNER -P -o $zone $zonefile > /dev/null 2>&1 zone=dname-at-apex-nsec3.example infile=dname-at-apex-nsec3.example.db.in zonefile=dname-at-apex-nsec3.example.db -kskname=`$KEYGEN -q -a RSASHA256 -3fk $zone` -zskname=`$KEYGEN -q -a RSASHA256 -3 $zone` -cat $infile $kskname.key $zskname.key >$zonefile -$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1 + +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone") +cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index 62d79bfd07b..c30b45281f0 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -9,21 +9,25 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" zone=. infile=../ns1/root.db.in zonefile=root.db.signed -keyname=`$KEYGEN -a RSASHA1 -qfk $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") # copy the KSK out first, then revoke it -keyfile_to_managed_keys $keyname > revoked.conf +keyfile_to_managed_keys "$keyname" > revoked.conf -$SETTIME -R now ${keyname}.key > /dev/null +"$SETTIME" -R now "${keyname}.key" > /dev/null # create a current set of keys, and sign the root zone -$KEYGEN -a RSASHA1 -q $zone > /dev/null -$KEYGEN -a RSASHA1 -qfk $zone > /dev/null -$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1 +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null +"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") + +keyfile_to_trusted_keys "$keyname" > trusted.conf diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad deleted file mode 100644 index ed30460bda4..00000000000 --- a/bin/tests/system/dnssec/ns5/trusted.conf.bad +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -trusted-keys { - "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; -}; diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in index d9b7a94306d..57e6b57fed9 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.in +++ b/bin/tests/system/dnssec/ns6/named.conf.in @@ -21,7 +21,7 @@ options { listen-on-v6 { none; }; recursion yes; notify yes; - disable-algorithms . { @DEFAULT_ALGORITHM@; }; + disable-algorithms . { @ALTERNATIVE_ALGORITHM@; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside . trust-anchor dlv; diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 159ba7337b2..eda6fe9e517 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -9,15 +9,15 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" zone=optout-tld infile=optout-tld.db.in zonefile=optout-tld.db -keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $keyname.key >$zonefile +cat "$infile" "$keyname.key" > "$zonefile" -$SIGNER -P -3 - -A -o $zone $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh index c02d54cf0d3..22de377a242 100644 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ b/bin/tests/system/dnssec/ns7/sign.sh @@ -9,20 +9,20 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=../.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" zone=split-rrsig infile=split-rrsig.db.in zonefile=split-rrsig.db -k1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` -k2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone` +k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat $infile $k1.key $k2.key >$zonefile +cat "$infile" "$k1.key" "$k2.key" > "$zonefile" -$SIGNER -P -3 - -A -o $zone -O full -f $zonefile.unsplit -e now-3600 -s now-7200 $zonefile > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null awk 'BEGIN { r = ""; } $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } { print } - END { print r }' $zonefile.unsplit > $zonefile.signed + END { print r }' "$zonefile.unsplit" > "$zonefile.signed" diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh index f08c31da6d7..189570e47fb 100644 --- a/bin/tests/system/dnssec/prereq.sh +++ b/bin/tests/system/dnssec/prereq.sh @@ -9,12 +9,13 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" -if $PERL -e 'use Net::DNS;' 2>/dev/null +if "$PERL" -e 'use Net::DNS;' 2>/dev/null then - if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null + # shellcheck disable=SC2016 + if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null then : else diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 870e5396444..7e85031d1be 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -9,10 +9,10 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" -$SHELL clean.sh +$SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf @@ -24,16 +24,22 @@ copy_setports ns5/named1.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf -cd ns1 -$SHELL sign.sh - -echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed -echo "b.bogus.example. A 10.0.0.23" >>../ns3/bogus.example.db.signed -echo "c.bogus.example. A 10.0.0.23" >>../ns3/bogus.example.db.signed - -cd ../ns3 -cp -f siginterval1.conf siginterval.conf - -cd ../ns5 -cp -f trusted.conf.bad trusted.conf -$SHELL sign.sh +( + cd ns1 + $SHELL sign.sh + { + echo "a.bogus.example. A 10.0.0.22" + echo "b.bogus.example. A 10.0.0.23" + echo "c.bogus.example. A 10.0.0.23" + } >>../ns3/bogus.example.db.signed +) + +( + cd ns3 + cp -f siginterval1.conf siginterval.conf +) + +( + cd ns5 + $SHELL sign.sh +) diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 520a591b03f..2adaec3a1d3 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -9,25 +9,40 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" status=0 n=1 rm -f dig.out.* -DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" -ADDITIONALOPTS="+noall +additional +dnssec -p ${PORT}" -ANSWEROPTS="+noall +answer +dnssec -p ${PORT}" -DELVOPTS="-a ns1/trusted.conf -p ${PORT}" -RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +dig_with_additionalopts() { + "$DIG" +noall +additional +dnssec -p "$PORT" "$@" +} + +dig_with_answeropts() { + "$DIG" +noall +answer +dnssec -p "$PORT" "$@" +} + +delv_with_opts() { + "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" +} + +rndccmd() { + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" +} # convert private-type records to readable form showprivate () { - echo "-- $@ --" - $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' | - while read record; do + echo "-- $* --" + dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' | + while read -r record; do + # shellcheck disable=SC2016 $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); @@ -35,43 +50,45 @@ showprivate () { $action = "removing" if $remove; my $state = " (incomplete)"; $state = " (complete)" if $complete; - print ("$action: alg: $alg, key: $key$state\n");' $record + print ("$action: alg: $alg, key: $key$state\n");' "$record" done } # check that signing records are marked as complete checkprivate () { ret=0 - x=`showprivate "$@"` - echo $x | grep incomplete >/dev/null 2>&1 && ret=1 - [ $ret = 1 ] && { + x=$(showprivate "$@") + echo "$x" | grep incomplete >/dev/null 2>&1 && ret=1 + [ "$ret" -eq 1 ] && { echo "$x" echo_i "failed" } - return $ret + return "$ret" } # check that a zone file is raw format, version 0 israw0 () { - cat $1 | $PERL -e 'binmode STDIN; - read(STDIN, $input, 8); - ($style, $version) = unpack("NN", $input); - exit 1 if ($style != 2 || $version != 0);' + # shellcheck disable=SC2016 + < "$1" $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 0);' return $? } # check that a zone file is raw format, version 1 israw1 () { - cat $1 | $PERL -e 'binmode STDIN; - read(STDIN, $input, 8); - ($style, $version) = unpack("NN", $input); - exit 1 if ($style != 2 || $version != 1);' + # shellcheck disable=SC2016 + < "$1" $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 1);' return $? } # strip NS and RRSIG NS from input stripns () { - awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1 + awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" } # Check that for a query against a validating resolver where the @@ -79,12 +96,12 @@ stripns () { # in the additional section echo_i "checking that additional glue is returned for unsigned delegation ($n)" ret=0 -$DIG +tcp +dnssec -p ${PORT} a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ns\.insecure\.example\..*A.10\.53\.0\.3" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Check the example. domain @@ -92,748 +109,750 @@ echo_i "checking that zone transfer worked ($n)" for i in 1 2 3 4 5 6 7 8 9 do ret=0 - $DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 - $DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 + dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 - [ $ret = 0 ] && break + [ "$ret" -eq 0 ] && break sleep 1 done digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # test AD bit: # - dig +adflag asks for authentication (ad in response) echo_i "checking AD bit asking for validation ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # test AD bit: # - dig +noadflag echo_i "checking that AD is not set without +adflag or +dnssec ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking for AD in authoritative answer ($n)" ret=0 -$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking positive validation NSEC using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A $DEFAULT_ALGORITHM_NUMBER 2 300 .*" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking positive validation NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking positive validation NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking positive validation OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +SP="[[:space:]]+" if [ -x ${DELV} ] ; then ret=0 echo_i "checking positive validation OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.optout.example > delv.out$n || ret=1 - grep "a.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking positive wildcard validation NSEC ($n)" ret=0 -$DIG $DIGOPTS a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "\*\.wild\.example\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 -grep "\*\.wild\.example\..*NSEC z\.example" dig.out.ns4.test$n > /dev/null || ret=1 +grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 +grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking positive wildcard validation NSEC using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1 grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive wildcard validation NSEC3 ($n)" ret=0 -$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 - grep "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 + grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 + grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking positive wildcard validation OPTOUT ($n)" ret=0 -$DIG $DIGOPTS a.wild.optout.example. \ +dig_with_opts a.wild.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS a.wild.optout.example. \ +dig_with_opts a.wild.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth q.nsec3.example. \ +dig_with_opts +noauth q.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.nsec3.example. \ +dig_with_opts +noauth q.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth q.optout.example. \ +dig_with_opts +noauth q.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.optout.example. \ +dig_with_opts +noauth q.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative validation NODATA NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative wildcard validation NSEC ($n)" ret=0 -$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative wildcard validation NSEC using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative wildcard validation NSEC3 ($n)" ret=0 -$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking negative wildcard validation OPTOUT ($n)" ret=0 -$DIG $DIGOPTS b.wild.optout.example. \ +dig_with_opts b.wild.optout.example. \ @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS b.wild.optout.example. \ +dig_with_opts b.wild.optout.example. \ @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi # Check the insecure.example domain echo_i "checking 1-server insecurity proof NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking 1-server insecurity proof NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking 1-server insecurity proof OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 + delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 -$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ +dig_with_opts q.insecure.example. a @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ +dig_with_opts q.insecure.example. a @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" ret=0 -$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \ +dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.4 \ +dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" ret=0 -$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \ +dig_with_opts q.insecure.optout.example. a @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.4 \ +dig_with_opts q.insecure.optout.example. a @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" - $DELV $DELVOPTS @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 + delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" ret=0 -$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \ +dig_with_opts r.insecure.example. soa @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \ +dig_with_opts r.insecure.example. soa @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" ret=0 -$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.3 \ +dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS r.insecure.nsec3.example. soa @10.53.0.4 \ +dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" ret=0 -$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.3 \ +dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS r.insecure.optout.example. soa @10.53.0.4 \ +dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check the secure.example domain echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.secure.example. \ +dig_with_opts +noauth a.secure.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.secure.example. \ +dig_with_opts +noauth a.secure.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ +dig_with_opts +noauth a.secure.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.secure.nsec3.example. \ +dig_with_opts +noauth a.secure.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ +dig_with_opts +noauth a.nsec3.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ +dig_with_opts +noauth a.nsec3.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ +dig_with_opts +noauth a.optout.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.optout.nsec3.example. \ +dig_with_opts +noauth a.optout.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.secure.optout.example. \ +dig_with_opts +noauth a.secure.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.secure.optout.example. \ +dig_with_opts +noauth a.secure.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ +dig_with_opts +noauth a.nsec3.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.nsec3.optout.example. \ +dig_with_opts +noauth a.nsec3.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.optout.optout.example. \ +dig_with_opts +noauth a.optout.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.optout.optout.example. \ +dig_with_opts +noauth a.optout.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth empty.optout.example. \ +dig_with_opts +noauth empty.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth empty.optout.example. \ +dig_with_opts +noauth empty.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check the bogus domain echo_i "checking failed validation ($n)" ret=0 -$DIG $DIGOPTS a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking failed validation using dns_client ($n)" - $DELV $DELVOPTS +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 + delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi # Try validating with a bad trusted key. @@ -841,290 +860,290 @@ fi echo_i "checking that validation fails with a misconfigured trusted key ($n)" ret=0 -$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" ret=0 -$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" ret=0 -$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that validation fails when key record is missing ($n)" ret=0 -$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking that validation fails when key record is missing using dns_client ($n)" - $DELV $DELVOPTS +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 + delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "checking that validation succeeds when a revoked key is encountered ($n)" ret=0 -$DIG $DIGOPTS revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) if [ -x ${DELV} ] ; then ret=0 echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" - $DELV $DELVOPTS +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 + delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 grep "fully validated" delv.out$n > /dev/null || ret=1 - n=`expr $n + 1` - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) fi echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)" ret=0 #prime -$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="a.example. 10.0.0.1" -ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1 +ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1 test "$ans" = "$expect" || ret=1 -test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" ret=0 #prime -$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="example. a.example. 10.0.0.1" -ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1 +ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret=1 test "$ans" = "$expect" || ret=1 -test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check the insecure.secure.example domain (insecurity proof) echo_i "checking 2-server insecurity proof ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \ +dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \ +dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check a negative response in insecure.secure.example echo_i "checking 2-server insecurity proof with a negative answer ($n)" ret=0 -$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ +dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ || ret=1 -$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ +dig_with_opts q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" ret=0 -$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ +dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ || ret=1 -$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ +dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check that the query for a security root is successful and has ad set echo_i "checking security root query ($n)" ret=0 -$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 +dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check that the setting the cd bit works echo_i "checking cd bit on a positive answer ($n)" ret=0 -$DIG $DIGOPTS +noauth example. soa @10.53.0.4 \ +dig_with_opts +noauth example. soa @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 -$DIG $DIGOPTS +noauth +cdflag example. soa @10.53.0.5 \ +dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \ > dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking cd bit on a negative answer ($n)" ret=0 -$DIG $DIGOPTS q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -$DIG $DIGOPTS +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" ret=0 -$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking cd bit on a query that should fail ($n)" ret=0 -$DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \ +dig_with_opts a.bogus.example. soa @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 -$DIG $DIGOPTS +cdflag a.bogus.example. soa @10.53.0.5 \ +dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \ > dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking cd bit on an insecurity proof ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \ +dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 -$DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ +dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ > dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - these are looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking cd bit on a negative insecurity proof ($n)" ret=0 -$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ +dig_with_opts q.insecure.example. a @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 -$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \ +dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \ > dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - these are looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that validation of an ANY query works ($n)" ret=0 -$DIG $DIGOPTS +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # 2 records in the zone, 1 NXT, 3 SIGs grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that validation of a query returning a CNAME works ($n)" ret=0 -$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.2 \ +dig_with_opts +noauth cname1.example. txt @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth cname1.example. txt @10.53.0.4 \ +dig_with_opts +noauth cname1.example. txt @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # the CNAME & its sig, the TXT and its SIG grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that validation of a query returning a DNAME works ($n)" ret=0 -$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.2 \ +dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth foo.dname1.example. txt @10.53.0.4 \ +dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 @@ -1132,122 +1151,122 @@ grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # It would be nice to test that the CNAME is being synthesized by the # recursive server and not cached, but I don't know how. grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that validation of an ANY query returning a CNAME works ($n)" ret=0 -$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.2 \ +dig_with_opts +noauth cname2.example. any @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth cname2.example. any @10.53.0.4 \ +dig_with_opts +noauth cname2.example. any @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # The CNAME, NXT, and their SIGs grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that validation of an ANY query returning a DNAME works ($n)" ret=0 -$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.2 \ +dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth foo.dname2.example. any @10.53.0.4 \ +dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that positive validation in a privately secure zone works ($n)" ret=0 -$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ +dig_with_opts +noauth a.private.secure.example. a @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ +dig_with_opts +noauth a.private.secure.example. a @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that negative validation in a privately secure zone works ($n)" ret=0 -$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ +dig_with_opts +noauth q.private.secure.example. a @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ +dig_with_opts +noauth q.private.secure.example. a @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that lookups succeed after disabling an algorithm ($n)" ret=0 -$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \ +dig_with_opts +noauth example. SOA @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \ +dig_with_opts +noauth example. SOA @10.53.0.6 \ > dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking privately secure to nxdomain works ($n)" ret=0 -$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \ +dig_with_opts +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking privately secure wildcard to nxdomain works ($n)" ret=0 -$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \ +dig_with_opts +noauth a.wild.private.secure.example. SOA @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 # Note - this is looking for failure, hence the && grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking a non-cachable NODATA works ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \ +dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \ > dig.out.ns7.test$n || ret=1 grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.4 \ +dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking a non-cachable NXDOMAIN works ($n)" ret=0 -$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \ +dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \ > dig.out.ns7.test$n || ret=1 grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.4 \ +dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \ > dig.out.ns4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # # private.secure.example is served by the same server as its @@ -1257,150 +1276,150 @@ status=`expr $status + $ret` # echo_i "checking dnssec-lookaside-validation works ($n)" ret=0 -$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ +dig_with_opts private.secure.example. SOA @10.53.0.6 \ > dig.out.ns6.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that we can load a rfc2535 signed zone ($n)" ret=0 -$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ +dig_with_opts rfc2535.example. SOA @10.53.0.2 \ > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that we can transfer a rfc2535 signed zone ($n)" ret=0 -$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.3 \ +dig_with_opts rfc2535.example. SOA @10.53.0.3 \ > dig.out.ns3.test$n || ret=1 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "basic dnssec-signzone checks:" echo_i " two DNSKEYs ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n 2>&1 test -f signed.zone ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " one non-KSK DNSKEY ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n 2>&1 test -f signed.zone ) && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " one KSK DNSKEY ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n 2>&1 test -f signed.zone ) && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " three DNSKEY ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n 2>&1 test -f signed.zone ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " three DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n 2>&1 test -f signed.zone ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " four DNSKEY ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n 2>&1 test -f signed.zone ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " two DNSKEY, both private keys missing ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n 2>&1 test -f signed.zone ) && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i " two DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general +cd signer/general || exit 1 rm -f signed.zone $SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n 2>&1 test -f signed.zone ) && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that we can sign a zone with out-of-zone records ($n)" ret=0 zone=example -key1=`$KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -key2=`$KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` +key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( -cd signer -cat example.db.in $key1.key $key2.key > example.db +cd signer || exit 1 +cat example.db.in "$key1.key" "$key2.key" > example.db $SIGNER -o example -f example.db example.db > /dev/null 2>&1 ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" ret=0 zone=example -key1=`$KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -key2=`$KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` +key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( -cd signer -cat example.db.in $key1.key $key2.key > example.db +cd signer || exit 1 +cat example.db.in "$key1.key" "$key2.key" > example.db $SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1 awk '/^IQF9LQTLK/ { printf("%s", $0); @@ -1414,18 +1433,18 @@ awk '/^IQF9LQTLK/ { grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" ret=0 zone=example -key1=`$KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone` -key2=`$KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone` +key1=$($KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone) ( -cd signer -cat example.db.in $key1.key $key2.key > example3.db +cd signer || exit 1 +cat example.db.in "$key1.key" "$key2.key" > example3.db echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null 2>&1 awk '/^IQF9LQTLK/ { @@ -1440,117 +1459,116 @@ awk '/^IQF9LQTLK/ { grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null ) || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that dnsssec-signzone updates originalttl on ttl changes ($n)" ret=0 zone=example -key1=`$KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone` -key2=`$KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone` +key1=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone) +key2=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone) ( -cd signer -cat example.db.in $key1.key $key2.key > example.db +cd signer || exit 1 +cat example.db.in "$key1.key" "$key2.key" > example.db $SIGNER -o example -f example.db.before example.db > /dev/null 2>&1 sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed $SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1 ) grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" ret=0 zone=example -key1=`$KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone` -key2=`$KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone` -keyid2=`echo $key2 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'` -key3=`$KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone` -keyid3=`echo $key3 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'` +key1=$($KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone) +key2=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone) +keyid2=$(echo "$key2" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/') +key3=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone) +keyid3=$(echo "$key3" | sed 's/^Kexample.+005+0*\([0-9]\)/\1/') ( -cd signer -cat example.db.in $key1.key $key2.key > example.db +cd signer || exit 1 +cat example.db.in "$key1.key" "$key2.key" > example.db $SIGNER -D -o example example.db > /dev/null 2>&1 # now switch out key2 for key3 and resign the zone -cat example.db.in $key1.key $key3.key > example.db -echo '$INCLUDE "example.db.signed"' >> example.db +cat example.db.in "$key1.key" "$key3.key" > example.db +echo "\$INCLUDE \"example.db.signed\"" >> example.db $SIGNER -D -o example example.db > /dev/null 2>&1 ) || ret=1 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( -cd signer +cd signer || exit 1 $SIGNER -RD -o example example.db > /dev/null 2>&1 ) || ret=1 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" ret=0 zone=example ( -cd signer +cd signer || exit 1 cp -f example.db.in example.db $SIGNER -SD -o example example.db > /dev/null 2>&1 -echo '$INCLUDE "example.db.signed"' >> example.db +echo "\$INCLUDE \"example.db.signed\"" >> example.db # now retire key2 and resign the zone -$SETTIME -I now $key2 > /dev/null 2>&1 +$SETTIME -I now "$key2" > /dev/null 2>&1 $SIGNER -SD -o example example.db > /dev/null 2>&1 ) || ret=1 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 || ret=1 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( -cd signer +cd signer || exit 1 $SIGNER -SDQ -o example example.db > /dev/null 2>&1 ) || ret=1 grep " $keyid2 " signer/example.db.signed > /dev/null 2>&1 && ret=1 grep " $keyid3 " signer/example.db.signed > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( -cd signer +cd signer || exit 1 $SIGNER -Sxt -o example example.db > signer.out.1 2>&1 $SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1 ) || ret=1 -gen1=`awk '/generated/ {print $3}' signer/signer.out.1` -retain1=`awk '/retained/ {print $3}' signer/signer.out.1` -drop1=`awk '/dropped/ {print $3}' signer/signer.out.1` -gen2=`awk '/generated/ {print $3}' signer/signer.out.2` -retain2=`awk '/retained/ {print $3}' signer/signer.out.2` -drop2=`awk '/dropped/ {print $3}' signer/signer.out.2` -[ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1 +gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) +retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) +gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) +retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) +drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) +[ "$retain2" -eq $((gen1+retain1)) ] || ret=1 [ "$gen2" -eq 0 ] || ret=1 [ "$drop2" -eq 0 ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" ret=0 ( -cd signer +cd signer || exit 1 # remove NSEC-only keys rm -f Kexample.+005* cp -f example.db.in example2.db @@ -1558,14 +1576,14 @@ cat << EOF >> example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. IN A 10.53.0.2 EOF -echo '$INCLUDE "example2.db.signed"' >> example2.db +echo "\$INCLUDE \"example2.db.signed\"" >> example2.db touch example2.db.signed $SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 ) || ret=1 -grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 ( -cd signer +cd signer || exit 1 cp -f example.db.in example2.db cat << EOF >> example2.db sub1.example. IN NS sub1.example. @@ -1573,33 +1591,33 @@ sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF -echo '$INCLUDE "example2.db.signed"' >> example2.db +echo "\$INCLUDE \"example2.db.signed\"" >> example2.db $SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 ) || ret=1 -grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" ret=0 ( -cd signer +cd signer || exit 1 rm -f example2.db.signed cp -f example.db.in example2.db cat << EOF >> example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. IN A 10.53.0.2 EOF -echo '$INCLUDE "example2.db.signed"' >> example2.db +echo "\$INCLUDE \"example2.db.signed\"" >> example2.db touch example2.db.signed $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 ) || ret=1 -grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 ( -cd signer +cd signer || exit 1 cp -f example.db.in example2.db cat << EOF >> example2.db sub1.example. IN NS sub1.example. @@ -1607,19 +1625,19 @@ sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF -echo '$INCLUDE "example2.db.signed"' >> example2.db +echo "\$INCLUDE \"example2.db.signed\"" >> example2.db $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null 2>&1 ) || ret=1 -grep "^sub1\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\.sub2\.example\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone output format ($n)" ret=0 ( -cd signer +cd signer || exit 1 $SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null $SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null 2>&1 @@ -1631,147 +1649,148 @@ awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1 israw1 signer/signer.out.5 || ret=1 israw0 signer/signer.out.6 || ret=1 israw1 signer/signer.out.7 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" ret=0 ( -cd signer +cd signer || exit 1 $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null 2>&1 ) || ret=1 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking dnssec-signzone -N date ($n)" ret=0 ( -cd signer +cd signer || exit 1 $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null 2>&1 ) || ret=1 -now=`$PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];'` -serial=`awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9` +# shellcheck disable=SC2016 +now=$($PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') +serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) [ "$now" -eq "$serial" ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking validated data are not cached longer than originalttl ($n)" ret=0 -$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Test that "rndc secroots" is able to dump trusted keys echo_i "checking rndc secroots ($n)" ret=0 -$RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i -keyid=`cat ns1/managed.key.id` +rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i +keyid=$(cat ns1/managed.key.id) cp ns4/named.secroots named.secroots.test$n -linecount=`grep "./${DEFAULT_ALGORITHM}/$keyid ; trusted" named.secroots.test$n | wc -l` +linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; trusted" named.secroots.test$n) [ "$linecount" -eq 1 ] || ret=1 -linecount=`cat named.secroots.test$n | wc -l` +linecount=$(< named.secroots.test$n wc -l) [ "$linecount" -eq 10 ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check direct query for RRSIG. If we first ask for normal (non RRSIG) # record, the corresponding RRSIG should be cached and subsequent query # for RRSIG will be returned with the cached record. echo_i "checking RRSIG query from cache ($n)" ret=0 -$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1 -ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1 -expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1 +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1 +ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 +expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1 test "$ans" = "$expect" || ret=1 # also check that RA is set -$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Check direct query for RRSIG: If it's not cached with other records, # it should result in an empty response. echo_i "checking RRSIG query not in cache ($n)" ret=0 -ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1 +ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1 test -z "$ans" || ret=1 # also check that RA is cleared -$DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 +dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # # RT21868 regression test. # echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" ret=0 -$DIG $DIGOPTS non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # # RT22007 regression test. # echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" ret=0 -$DIG $DIGOPTS +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" ret=0 -$DIG $DIGOPTS +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" ret=0 -$DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) -echo_i "checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)" +echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" ret=0 -$DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking validate-except in an insecure local domain ($n)" ret=0 -$DIG $DIGOPTS ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive and negative validation with negative trust anchors ($n)" ret=0 @@ -1779,64 +1798,65 @@ ret=0 # # check correct initial behavior # -$DIG $DIGOPTS a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1 -$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 -$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed - checking initial state"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi +status=$((status+ret)) ret=0 # # add negative trust anchors # -$RNDCCMD 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i # reconfig should maintain NTAs -$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -lines=`wc -l < rndc.out.ns4.test$n.1` +rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +lines=$(wc -l < rndc.out.ns4.test$n.1) [ "$lines" -eq 2 ] || ret=1 -$RNDCCMD 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i # reload should maintain NTAs -$RNDCCMD 10.53.0.4 reload 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 -lines=`wc -l < rndc.out.ns4.test$n.2` +rndccmd 10.53.0.4 reload 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +lines=$(wc -l < rndc.out.ns4.test$n.2) [ "$lines" -eq 4 ] || ret=1 -start=`$PERL -e 'print time()."\n";'` +# shellcheck disable=SC2016 +start=$($PERL -e 'print time()."\n";') -if [ $ret != 0 ]; then echo_i "failed - adding NTA's failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - adding NTA's failed"; fi +status=$((status+ret)) ret=0 # # check behavior with NTA's in place # -$DIG $DIGOPTS a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1 -$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1 -$DIG $DIGOPTS a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 +dig_with_opts a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1 echo_i "dumping secroots" -$RNDCCMD 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i grep "bogus.example: expiry" ns4/named.secroots > /dev/null || ret=1 grep "badds.example: expiry" ns4/named.secroots > /dev/null || ret=1 grep "secure.example: expiry" ns4/named.secroots > /dev/null || ret=1 grep "fakenode.secure.example: expiry" ns4/named.secroots > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi +status=$((status+ret)) ret=0 echo_i "waiting for NTA rechecks/expirations" @@ -1848,19 +1868,20 @@ echo_i "waiting for NTA rechecks/expirations" # fakenode.secure.example should both be lifted, but badds.example # should still be going. # -$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -$DIG $DIGOPTS b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 +# shellcheck disable=SC2016 +$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1 -$DIG $DIGOPTS b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 +dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1 -$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi +status=$((status+ret)) ret=0 # @@ -1868,133 +1889,135 @@ ret=0 # it should still be NTA'd, but badds.example used the default # lifetime of 10s, so it should revert to SERVFAIL now. # -$PERL -e 'my $delay = '$start' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# shellcheck disable=SC2016 +$PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check nta table -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 -lines=`grep " expiry " rndc.out.ns4.test$n._11 | wc -l` +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 +lines=$(grep -c " expiry " rndc.out.ns4.test$n._11) [ "$lines" -le 2 ] || ret=1 grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1 grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1 -$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1 -$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1 -$DIG $DIGOPTS c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 +dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi +status=$((status+ret)) ret=0 # # at t=21, all the NTAs should have expired. # -$PERL -e 'my $delay = '$start' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# shellcheck disable=SC2016 +$PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check correct behavior after bogus.example expiry -$DIG $DIGOPTS d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 +dig_with_opts d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1 -$DIG $DIGOPTS c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 +dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1 # check nta table has been cleaned up now -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -lines=`grep " expiry " rndc.out.ns4.test$n.3 | wc -l` +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +lines=$(grep -c " expiry " rndc.out.ns4.test$n.3) [ "$lines" -eq 0 ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=`expr $status + $ret` +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi +status=$((status+ret)) ret=0 echo_i "testing NTA removals ($n)" -$RNDCCMD 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1 -$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1 grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1 -$RNDCCMD 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 +rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1 -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1 -$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) ret=0 echo_i "remove non-existent NTA three times" -$RNDCCMD 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 -$RNDCCMD 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 -$RNDCCMD 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 +rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 +rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 +rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) ret=0 -n=`expr $n + 1` +n=$((n+1)) echo_i "testing NTA with bogus lifetimes ($n)" echo_i "check with no nta lifetime specified" -$RNDCCMD 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 +rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) ret=0 echo_i "check with bad nta lifetime" -$RNDCCMD 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 +rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) ret=0 echo_i "check with too long nta lifetime" -$RNDCCMD 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 +rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) ret=0 # # check NTA persistence across restarts # -n=`expr $n + 1` +n=$((n+1)) echo_i "testing NTA persistence across restarts ($n)" -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -lines=`grep " expiry " rndc.out.ns4.test$n.1 | wc -l` +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +lines=$(grep -c " expiry " rndc.out.ns4.test$n.1) [ "$lines" -eq 0 ] || ret=1 -$RNDCCMD 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 -lines=`grep " expiry " rndc.out.ns4.test$n.2 | wc -l` +rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +lines=$(grep -c " expiry " rndc.out.ns4.test$n.2) [ "$lines" -eq 2 ] || ret=1 -start=`$PERL -e 'print time()."\n";'` +# shellcheck disable=SC2016 +start=$($PERL -e 'print time()."\n";') -if [ $ret != 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi +status=$((status+ret)) ret=0 echo_i "killing ns4 with SIGTERM" -cd ns4 -$KILL -TERM `cat named.pid` -rm -f named.pid -cd .. +$KILL -TERM "$(cat ns4/named.pid)" +rm -f ns4/named.pid # # ns4 has now shutdown. wait until t=14 when badds.example's NTA # (lifetime=10s) would have expired, and then restart ns4. # echo_i "waiting till 14s have passed since NTAs were added before restarting ns4" -$PERL -e 'my $delay = '$start' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# shellcheck disable=SC2016 +$PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' if - $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns4 + $PERL "$SYSTEMTESTTOP/start.pl" --noclean --restart --port "$PORT" dnssec ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" @@ -2006,43 +2029,41 @@ sleep 4 # startup (as it had already expired), the fact that it's ignored should # be logged. # -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -lines=`wc -l < rndc.out.ns4.test$n.3` +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +lines=$(wc -l < rndc.out.ns4.test$n.3) [ "$lines" -eq 1 ] || ret=1 grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1 -$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1 grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1 # cleanup -$RNDCCMD 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 +rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 -if [ $ret != 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi +status=$((status+ret)) ret=0 # # check "regular" attribute in NTA file works as expected at named # startup. # -n=`expr $n + 1` +n=$((n+1)) echo_i "testing loading regular attribute from NTA file ($n)" -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=`wc -l < rndc.out.ns4.test$n.1` +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l < rndc.out.ns4.test$n.1) [ "$lines" -eq 0 ] || ret=1 # initially, secure.example. validates with AD=1 -$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 echo_i "killing ns4 with SIGTERM" -cd ns4 -$KILL -TERM `cat named.pid` -rm -f named.pid -cd .. +$KILL -TERM "$(cat ns4/named.pid)" +rm -f ns4/named.pid echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" sleep 4 @@ -2051,57 +2072,56 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the regular attribute and some future timestamp. # -year=`date +%Y` -future="`expr 20 + ${year}`0101010000" +future="$(($(date +%Y)+20))0101010000" echo "secure.example. regular $future" > ns4/_default.nta -start=`$PERL -e 'print time()."\n";'` +# shellcheck disable=SC2016 +start=$($PERL -e 'print time()."\n";') if - $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns4 + $PERL "$SYSTEMTESTTOP/start.pl" --noclean --restart --port "$PORT" dnssec ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 7s, so at t=10 the NTAs for # secure.example. should be lifted as it is not a forced NTA. echo_i "waiting till 10s have passed after ns4 was restarted" -$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# shellcheck disable=SC2016 +$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # secure.example. should now return an AD=1 answer (still validates) as # the NTA has been lifted. -$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 # cleanup -$RNDCCMD 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null -if [ $ret != 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi +status=$((status+ret)) ret=0 # # check "forced" attribute in NTA file works as expected at named # startup. # -n=`expr $n + 1` +n=$((n+1)) echo_i "testing loading forced attribute from NTA file ($n)" -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=`wc -l < rndc.out.ns4.test$n.1` +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l < rndc.out.ns4.test$n.1) [ "$lines" -eq 0 ] || ret=1 # initially, secure.example. validates with AD=1 -$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 echo_i "killing ns4 with SIGTERM" -cd ns4 -$KILL -TERM `cat named.pid` +$KILL -TERM "$(cat ns4/named.pid)" rm -f named.pid -cd .. echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" sleep 4 @@ -2111,46 +2131,45 @@ sleep 4 # _default.nta file with the forced attribute and some future timestamp. # echo "secure.example. forced $future" > ns4/_default.nta -start=`$PERL -e 'print time()."\n";'` +start=$($PERL -e 'print time()."\n";') if - $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns4 + $PERL "$SYSTEMTESTTOP/start.pl" --noclean --restart --port "$PORT" dnssec ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 7s, but even at t=10 the NTAs for # secure.example. should not be lifted as it is a forced NTA. echo_i "waiting till 10s have passed after ns4 was restarted" -$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' +# shellcheck disable=SC2016 +$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # secure.example. should now return an AD=0 answer (non-authenticated) # as the NTA is still there. -$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1 # cleanup -$RNDCCMD 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null -if [ $ret != 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi +status=$((status+ret)) ret=0 # # check that NTA lifetime read from file is clamped to 1 week. # -n=`expr $n + 1` +n=$((n+1)) echo_i "testing loading out of bounds lifetime from NTA file ($n)" echo_i "killing ns4 with SIGTERM" -cd ns4 -$KILL -TERM `cat named.pid` -rm -f named.pid -cd .. +$KILL -TERM "$(cat ns4/named.pid)" +rm -f ns4/named.pid echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown" sleep 4 @@ -2160,15 +2179,15 @@ sleep 4 # _default.nta file with a lifetime well into the future. # echo "secure.example. forced $future" > ns4/_default.nta -added=`$PERL -e 'print time()."\n";'` +added=$($PERL -e 'print time()."\n";') if - $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns4 + $PERL "$SYSTEMTESTTOP/start.pl" --noclean --restart --port "$PORT" dnssec ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" @@ -2176,35 +2195,35 @@ sleep 4 # dump the NTA to a file (omit validate-except entries) echo_i "testing 'rndc nta'" -$RNDCCMD 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # omitted. only "secure.example" should be in the dump at this point. -lines=`wc -l < rndc.out.ns4.test$n.1` +lines=$(wc -l < rndc.out.ns4.test$n.1) [ "$lines" -eq 1 ] || ret=1 grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1 -ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1` +ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1) # rndc nta outputs localtime, so append the timezone -ts_with_zone="$ts `date +%z`" +ts_with_zone="$ts $(date +%z)" echo "ts=$ts" > rndc.out.ns4.test$n.2 echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2 echo "added=$added" >> rndc.out.ns4.test$n.2 if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null then # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=`$PERL ./ntadiff.pl "$ts_with_zone" "$added"` + d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") echo "d=$d" >> rndc.out.ns4.test$n.2 # diff from $added(now) + 1week to the clamped NTA lifetime should be # less than a few seconds (handle daylight saving changes by adding 3600). - [ $d -lt 3610 ] || ret=1 + [ "$d" -lt 3610 ] || ret=1 else echo_i "skipped ntadiff test; install PERL module Time::Piece" fi # cleanup -$RNDCCMD 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null -if [ $ret != 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi -status=`expr $status + $ret` +if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi +status=$((status+ret)) ret=0 echo_i "completed NTA tests" @@ -2216,159 +2235,159 @@ if $PERL -e 'use Net::DNS;' 2>/dev/null then echo_i "running DNSSEC update test" ret=0 - { - $PERL dnssec_update_test.pl -s 10.53.0.3 -p ${PORT} dynamic.example. || ret=1 - } | cat_i + output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) + test "$?" -eq 0 || ret=1 + echo "$output" | cat_i [ $ret -eq 1 ] && status=1 else echo_i "The DNSSEC update test requires the Net::DNS library." >&2 fi -n=`expr $n + 1` +n=$((n+1)) echo_i "checking managed key maintenance has not started yet ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Reconfigure caching server to use "dnssec-validation auto", and repeat # some of the DNSSEC validation tests to ensure that it works correctly. echo_i "switching to automatic root key configuration" copy_setports ns4/named2.conf.in ns4/named.conf -$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i sleep 5 echo_i "checking managed key maintenance timer has now started ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.nsec3.example. \ +dig_with_opts +noauth a.nsec3.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.optout.example. \ +dig_with_opts +noauth a.optout.example. \ @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking negative validation ($n)" ret=0 -$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that root DS queries validate ($n)" ret=0 -$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" ret=0 -$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1 +dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" ret=0 -$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking expired signatures do not validate ($n)" ret=0 -$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 -kskname=`$KEYGEN -q -3 -a RSASHA1 -fk update-nsec3.example` +cd ns3 || exit 1 +kskname=$($KEYGEN -q -3 -a RSASHA1 -fk update-nsec3.example) ( echo zone update-nsec3.example -echo server 10.53.0.3 ${PORT} -grep DNSKEY ${kskname}.key | sed -e 's/^/update add /' -e 's/IN/300 IN/' +echo server 10.53.0.3 "$PORT" +grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' echo send ) | $NSUPDATE ) -$DIG $DIGOPTS +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 @@ -2377,96 +2396,96 @@ checkprivate update-nsec3.example 10.53.0.3 || ret=1 checkprivate auto-nsec3.example 10.53.0.3 || ret=1 checkprivate expiring.example 10.53.0.3 || ret=1 checkprivate auto-nsec.example 10.53.0.3 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing' without arguments is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -list' without zone is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -clear all' without zone is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') if [ "$salt" = "FFFF" ]; then break; fi @@ -2474,16 +2493,16 @@ for i in 1 2 3 4 5 6 7 8 9 10 ; do sleep 1 done; [ "$salt" = "FFFF" ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') if [ "$salt" = "-" ]; then break; fi @@ -2491,141 +2510,144 @@ for i in 1 2 3 4 5 6 7 8 9 10 ; do sleep 1 done; [ "$salt" = "-" ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` - [ -n "$salt" -a "$salt" != "-" ] && break + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + [ -n "$salt" ] && [ "$salt" != "-" ] && break echo_i "sleeping ...." sleep 1 done; [ "$salt" != "-" ] || ret=1 -[ `expr "${salt}" : ".*"` -eq 16 ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +[ "${#salt}" -eq 16 ] || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" ret=0 oldsalt=$salt -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 status > /dev/null || ret=1 +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` - [ -n "$salt" -a "$salt" != "$oldsalt" ] && break + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break echo_i "sleeping ...." sleep 1 done; [ "$salt" != "$oldsalt" ] || ret=1 -[ `expr "$salt" : ".*"` -eq 16 ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +[ "${#salt}" -eq 16 ] || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check rndc signing -list output ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list dynamic.example 2>&1 > signing.out -grep "No signing records found" signing.out > /dev/null 2>&1 || { +{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1 +grep -q "No signing records found" signing.out || { ret=1 sed 's/^/ns3 /' signing.out | cat_i } -$RNDCCMD 10.53.0.3 signing -list update-nsec3.example 2>&1 > signing.out -grep "Done signing with key .*/NSEC3RSASHA1" signing.out > /dev/null 2>&1 || { +{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 +grep -q "Done signing with key .*/NSEC3RSASHA1" signing.out || { ret=1 sed 's/^/ns3 /' signing.out | cat_i } -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "clear signing records ($n)" -$RNDCCMD 10.53.0.3 signing -clear all update-nsec3.example > /dev/null || ret=1 +{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1 sleep 1 -$RNDCCMD 10.53.0.3 signing -list update-nsec3.example 2>&1 > signing.out -grep "No signing records found" signing.out > /dev/null 2>&1 || { +{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 +grep -q "No signing records found" signing.out || { ret=1 sed 's/^/ns3 /' signing.out | cat_i } -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that a insecure zone beneath a cname resolves ($n)" ret=0 -$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that a secure zone beneath a cname resolves ($n)" ret=0 -$DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +my_dig() { + "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@" +} echo_i "checking dnskey query with no data still gets put in cache ($n)" ret=0 -myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT} @10.53.0.4" -firstVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'` +firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }') sleep 1 -secondVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'` -if [ ${firstVal:-0} -eq ${secondVal:-0} ] +secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }') +if [ "${firstVal:-0}" -eq "${secondVal:-0}" ] then sleep 1 - thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '$1 != ";;" { print $2 }'` - if [ ${firstVal:-0} -eq ${thirdVal:-0} ] + thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }') + if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ] then echo_i "cannot confirm query answer still in cache" ret=1 fi fi -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a split dnssec dnssec-signzone work ($n)" ret=0 -$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a smart split dnssec dnssec-signzone work ($n)" ret=0 -$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)" ret=0 ( echo zone nsec3chain-test -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 echo send ) | $NSUPDATE for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 do - $DIG $DIGOPTS nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 + dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null then break; @@ -2634,26 +2656,26 @@ do sleep 3 done; grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "nsec3 chain generation not complete"; fi -$DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 -s2=`awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n` +if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi +dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 +s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n) for i in 1 2 3 4 5 6 7 8 9 10 do - $DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1 - s3=`awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n` + dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1 + s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n) test "$s2" = "$s3" && break sleep 1 done digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check dnssec-dsfromkey from stdin ($n)" ret=0 -$DIG $DIGOPTS dnskey algroll. @10.53.0.2 | \ +dig_with_opts dnskey algroll. @10.53.0.2 | \ $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1 -NF=`awk '{print NF}' dig.out.ns2.test$n | sort -u` +NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u) [ "${NF}" = 7 ] || ret=1 # make canonical awk '{ @@ -2667,316 +2689,316 @@ awk '{ printf("\n"); }' < ns1/dsset-algroll$TP > canonical2.$n || ret=1 diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Intentionally strip ".key" from keyfile name to ensure the error message # includes it anyway to avoid confusion (RT #21731) echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" ret=0 -key=`$KEYGEN -a RSASHA1 -q example.` || ret=1 -mv $key.key $key -$DSFROMKEY $key > dsfromkey.out.$n 2>&1 && ret=1 +key=$($KEYGEN -a RSASHA1 -q example.) || ret=1 +mv "$key.key" "$key" +$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1 grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)" ret=0 -$DIG $ANSWEROPTS +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 # there must be a signature here [ -s dig.out.ns3.test$n ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing new records are signed with 'no-resign' ($n)" ret=0 ( echo zone nosign.example -echo server 10.53.0.3 ${PORT} +echo server 10.53.0.3 "$PORT" echo update add new.nosign.example 300 in txt "hi there" echo send ) | $NSUPDATE sleep 1 -$DIG $ANSWEROPTS +nottlid txt new.nosign.example @10.53.0.3 \ +dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \ > dig.out.ns3.test$n 2>&1 grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing expiring records aren't resigned with 'no-resign' ($n)" ret=0 -$DIG $ANSWEROPTS +nottlid nosign.example ns @10.53.0.3 | \ +dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \ grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1 # the NS RRSIG should not be changed cmp -s nosign.before dig.out.ns3.test$n || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing updates fail with no private key ($n)" ret=0 rm -f ns3/Knosign.example.*.private ( echo zone nosign.example -echo server 10.53.0.3 ${PORT} +echo server 10.53.0.3 "$PORT" echo update add fail.nosign.example 300 in txt "reject me" echo send ) | $NSUPDATE > /dev/null 2>&1 && ret=1 -$DIG $ANSWEROPTS +nottlid fail.nosign.example txt @10.53.0.3 \ +dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \ > dig.out.ns3.test$n 2>&1 [ -s dig.out.ns3.test$n ] && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing legacy upper case signer name validation ($n)" ret=0 -$DIG +tcp +noadd +noauth +dnssec -p ${PORT} soa upper.example @10.53.0.4 \ +$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ > dig.out.ns4.test$n 2>&1 -grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1 -grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 +grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing that we lower case signer name ($n)" ret=0 -$DIG +tcp +noadd +noauth +dnssec -p ${PORT} soa LOWER.EXAMPLE @10.53.0.4 \ +$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \ > dig.out.ns4.test$n 2>&1 -grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1 -grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 +grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing TTL is capped at RRSIG expiry time ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i ( -cd ns3 +cd ns3 || exit 1 for file in K*.moved; do - mv $file `basename $file .moved` + mv "$file" "$(basename "$file" .moved)" done $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1 ) || ret=1 -$RNDCCMD 10.53.0.3 reload expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.3 reload expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i -$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -$DIG $ANSWEROPTS +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ANSWEROPTS expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n -ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` -ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) +ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ ${ttl:-0} -eq 300 ] || ret=1 + [ "${ttl:-0}" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ ${ttl:-0} -le 60 ] || ret=1 + [ "${ttl:-0}" -le 60 ] || ret=1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" ret=0 -$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -$DIG $ADDITIONALOPTS +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n -ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` -ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n +dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n +ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) +ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ ${ttl:-0} -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ ${ttl:-0} -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" ret=0 -$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n -ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` -ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) +ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ ${ttl:-0} -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ ${ttl:-0} -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) copy_setports ns4/named3.conf.in ns4/named.conf -$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i sleep 3 echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)" ret=0 -$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -$DIG $ANSWEROPTS +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ANSWEROPTS expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n -ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` -ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) +ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ $ttl -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 + [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)" ret=0 -$DIG $ANSWEROPTS +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ANSWEROPTS expired.example soa @10.53.0.4 > dig.out.ns4.2.$n -ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` -ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n +dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n +ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) +ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ $ttl -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 + [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" ret=0 -$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n -ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` -ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +dig_with_answeropts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +dig_with_answeropts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) +ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ $ttl -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1 + [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing DNSKEY lookup via CNAME ($n)" ret=0 -$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ +dig_with_opts +noauth cnameandkey.secure.example. \ @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ +dig_with_opts +noauth cnameandkey.secure.example. \ @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing KEY lookup at CNAME (present) ($n)" ret=0 -$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ +dig_with_opts +noauth cnameandkey.secure.example. \ @10.53.0.3 key > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ +dig_with_opts +noauth cnameandkey.secure.example. \ @10.53.0.4 key > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing KEY lookup at CNAME (not present) ($n)" ret=0 -$DIG $DIGOPTS +noauth cnamenokey.secure.example. \ +dig_with_opts +noauth cnamenokey.secure.example. \ @10.53.0.3 key > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth cnamenokey.secure.example. \ +dig_with_opts +noauth cnamenokey.secure.example. \ @10.53.0.4 key > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing DNSKEY lookup via DNAME ($n)" ret=0 -$DIG $DIGOPTS a.dnameandkey.secure.example. \ +dig_with_opts a.dnameandkey.secure.example. \ @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS a.dnameandkey.secure.example. \ +dig_with_opts a.dnameandkey.secure.example. \ @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "testing KEY lookup via DNAME ($n)" ret=0 -$DIG $DIGOPTS b.dnameandkey.secure.example. \ +dig_with_opts b.dnameandkey.secure.example. \ @10.53.0.3 key > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS b.dnameandkey.secure.example. \ +dig_with_opts b.dnameandkey.secure.example. \ @10.53.0.4 key > dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that named doesn't loop when all private keys are not available ($n)" ret=0 -lines=`grep "reading private key file expiring.example" ns3/named.run | wc -l` -test ${lines:-1000} -lt 15 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +lines=$(grep -c "reading private key file expiring.example" ns3/named.run) +test "${lines:-1000}" -lt 15 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check against against missing nearest provable proof ($n)" -$DIG $DIGOPTS +norec b.c.d.optout-tld. \ +dig_with_opts +norec b.c.d.optout-tld. \ @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1 -nsec3=`grep "IN.NSEC3" dig.out.ds.ns6.test$n | wc -l` -[ $nsec3 -eq 2 ] || ret=1 -$DIG $DIGOPTS +norec b.c.d.optout-tld. \ +nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n) +[ "$nsec3" -eq 2 ] || ret=1 +dig_with_opts +norec b.c.d.optout-tld. \ @10.53.0.6 A > dig.out.ns6.test$n || ret=1 -nsec3=`grep "IN.NSEC3" dig.out.ns6.test$n | wc -l` -[ $nsec3 -eq 1 ] || ret=1 -$DIG $DIGOPTS optout-tld. \ +nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n) +[ "$nsec3" -eq 1 ] || ret=1 +dig_with_opts optout-tld. \ @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1 -$DIG $DIGOPTS b.c.d.optout-tld. \ +dig_with_opts b.c.d.optout-tld. \ @10.53.0.4 A > dig.out.ns4.test$n || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that key id are logged when dumping the cache ($n)" ret=0 -$RNDCCMD 10.53.0.4 dumpdb 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 dumpdb 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 grep "; key id = " ns4/named_dump.db > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check KEYDATA records are printed in human readable form in key zone ($n)" # force the managed-keys zone to be written out -$RNDCCMD 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i for i in 1 2 3 4 5 6 7 8 9 do ret=0 @@ -2989,101 +3011,101 @@ do ret=1 sleep 1 done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check dig's +nocrypto flag ($n)" ret=0 -$DIG $DIGOPTS +norec +nocrypto DNSKEY . \ +dig_with_opts +norec +nocrypto DNSKEY . \ @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 -grep -E '256 [0-9]+ 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -grep -E 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +norec +nocrypto DS example \ +grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 +grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 +dig_with_opts +norec +nocrypto DS example \ @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -grep -E 'DS.* [0-9]+ [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" ret=0 cnt=0 while : do -$DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n -keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l` -test $keys -gt 2 && break -cnt=`expr $cnt + 1` -test $cnt -gt 120 && break +dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n +keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) +test "$keys" -gt 2 && break +cnt=$((cnt+1)) +test "$cnt" -gt 120 && break sleep 1 done -test $keys -gt 2 || ret=1 -sigs=`grep RRSIG dig.out.ns3.test$n | wc -l` -sigs=`expr $sigs + 0` -n=`expr $n + 1` -test $sigs -eq 2 || ret=1 -if test $ret != 0 ; then echo_i "failed"; fi -status=`expr $status + $ret` +test "$keys" -gt 2 || ret=1 +sigs=$(grep -c RRSIG dig.out.ns3.test$n) +n=$((n+1)) +test "$sigs" -eq 2 || ret=1 +if test "$ret" -ne 0 ; then echo_i "failed"; fi +status=$((status+ret)) echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)" ret=0 -before=`$DIG axfr siginterval.example -p ${PORT} @10.53.0.3 | grep RRSIG.SOA` +before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) cp ns3/siginterval2.conf ns3/siginterval.conf -$RNDCCMD 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 0 -do -after=`$DIG axfr siginterval.example -p ${PORT} @10.53.0.3 | grep RRSIG.SOA` +rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +i=10 +while [ "$i" -ge 0 ]; do +after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) test "$before" != "$after" && break sleep 1 +i=$((i-1)) done -n=`expr $n + 1` +n=$((n+1)) if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +status=$((status+ret)) if [ -x "$PYTHON" ]; then echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" ret=0 - $RNDCCMD 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i + rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i # convert expiry date to a comma-separated list of integers python can # use as input to date(). strip leading 0s in months and days so # python3 will recognize them as integers. - $DIG +dnssec +short -p ${PORT} @10.53.0.3 soa siginterval.example > dig.out.soa.test$n - soaexpire=`awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | + $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n + soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g'` - $DIG +dnssec +short -p ${PORT} @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n - dnskeyexpire=`awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | + sed 's/ 0/ /g') + $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n + dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g'` + sed 's/ 0/ /g') $PYTHON > python.out.$n <&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i sleep 3 echo_i "check insecure delegation between static-stub zones ($n)" ret=0 -$DIG $DIGOPTS ns insecure.secure.example \ +dig_with_opts ns insecure.secure.example \ @10.53.0.4 > dig.out.ns4.1.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS ns secure.example \ +dig_with_opts ns secure.example \ @10.53.0.4 > dig.out.ns4.2.test$n || ret=1 grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check the acceptance of seconds as inception and expiration times ($n)" ret=0 @@ -3091,396 +3113,390 @@ in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IX exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo=" -out=`echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//'` +out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//') [ "$out" = "$exp" ] || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check the correct resigning time is reported in zonestatus ($n)" ret=0 -$RNDCCMD 10.53.0.3 \ +rndccmd 10.53.0.3 \ zonestatus secure.example > rndc.out.ns3.test$n # next resign node: secure.example/DNSKEY -name=`awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's;/; ;'` +qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,') +qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,') # next resign time: Thu, 24 Apr 2014 10:38:16 GMT -time=`awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03"; +time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03"; m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06"; m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} - /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g'` -$DIG $DIGOPTS +noall +answer $name @10.53.0.3 > dig.out.test$n -expire=`awk '$4 == "RRSIG" { print $9 }' dig.out.test$n` -inception=`awk '$4 == "RRSIG" { print $10 }' dig.out.test$n` + /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g') +dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n +expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n) +inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n) $PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that split rrsigs are handled ($n)" ret=0 -$DIG $DIGOPTS split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" ret=0 alg=1 -until test $alg = 256 +until test $alg -eq 256 do - size= - case $alg in - 1) # RSA/MD5 - size="-b 1024";; + case $alg in 2) # Diffie Helman - alg=`expr $alg + 1` - continue;; - 5) # RSA/SHA-1 - size="-b 1024";; - 7) # RSASHA1-NSEC3-SHA1 - size="-b 1024";; - 8) # RSA/SHA-256 - size="-b 1024";; - 10) # RSA/SHA-512 - size="-b 1024";; + alg=$((alg+1)) + continue;; 157|160|161|162|163|164|165) # private - non standard - alg=`expr $alg + 1` - continue;; - esac - key1=`$KEYGEN -a $alg $size -n zone example 2> keygen.err` - if grep "unsupported algorithm" keygen.err > /dev/null - then - alg=`expr $alg + 1` - continue - fi - if test -z "$key1" - then - echo_i "'$KEYGEN -a $alg': failed" - cat keygen.err - ret=1 - alg=`expr $alg + 1` - continue - fi - $SETTIME -I now+4d $key1.private > /dev/null - key2=`$KEYGEN -v 10 -i 3d -S $key1.private 2> /dev/null` - test -f $key2.key -a -f $key2.private || { - ret=1 - echo_i "'dnssec-keygen -S' failed for algorithm: $alg" - } - alg=`expr $alg + 1` + alg=$((alg+1)) + continue;; + 1|5|7|8|10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err) + ;; + *) + key1=$($KEYGEN -a "$alg" -n zone example 2> keygen.err) + esac + if grep "unsupported algorithm" keygen.err > /dev/null + then + alg=$((alg+1)) + continue + fi + if test -z "$key1" + then + echo_i "'$KEYGEN -a $alg': failed" + cat keygen.err + ret=1 + alg=$((alg+1)) + continue + fi + $SETTIME -I now+4d "$key1.private" > /dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg+1)) done -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" ret=0 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" ret=0 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a lone non matching CDS record is rejected ($n)" ret=0 ( echo zone cds-update.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cds-update.secure CDS -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | $DSFROMKEY -C -A -f - -T 1 cds-update.secure | sed "s/^/update add /" echo send ) | $NSUPDATE > nsupdate.out.test$n 2>&1 grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n -lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-10} -eq 0 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) +test "${lines:-10}" -eq 0 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" ret=0 ( echo zone cds-update.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cds-update.secure CDS echo send -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | grep "DNSKEY.257" | $DSFROMKEY -C -f - -T 1 cds-update.secure | sed "s/^/update add /" echo send ) | $NSUPDATE -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDS records are signed only using KSK when added by" echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 ( echo zone cds-kskonly.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cds-kskonly.secure CDS echo send -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | grep "DNSKEY.257" | $DSFROMKEY -C -f - -T 1 cds-kskonly.secure | sed "s/^/update add /" echo send ) | $NSUPDATE -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 1 || ret=1 -lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" ret=0 ( echo zone cds-update.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cds-update.secure CDS echo send -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | grep "DNSKEY.257" | $DSFROMKEY -C -f - -T 1 cds-update.secure | sed "s/^/update add /" -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | $DSFROMKEY -C -A -f - -T 1 cds-update.secure | sed "s/^/update add /" echo send ) | $NSUPDATE -$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 4 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 4 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" ret=0 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" ret=0 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a lone non matching CDNSKEY record is rejected ($n)" ret=0 ( echo zone cdnskey-update.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cdnskey-update.secure CDNSKEY echo send -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' echo send ) | $NSUPDATE > nsupdate.out.test$n 2>&1 grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n -lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-10} -eq 0 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "${lines:-10}" -eq 0 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)" ret=0 -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n -$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" ret=0 ( echo zone cdnskey-update.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cdnskey-update.secure CDNSKEY -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' echo send ) | $NSUPDATE -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that CDNSKEY records are signed only using KSK when added by" echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 ( echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cdnskey-kskonly.secure CDNSKEY -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' echo send ) | $NSUPDATE -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 1 || ret=1 -lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "checking initialization with a revoked managed key ($n)" ret=0 copy_setports ns5/named2.conf.in ns5/named.conf -$RNDCCMD 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i +rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i sleep 3 -$DIG $DIGOPTS +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n +dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" ret=0 ( echo zone cdnskey-update.secure -echo server 10.53.0.2 ${PORT} +echo server 10.53.0.2 "$PORT" echo update delete cdnskey-update.secure CDNSKEY -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | +dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' echo send ) | $NSUPDATE -$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n -lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l` -test ${lines:-0} -eq 2 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 2 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. ( -cd signer +cd signer || exit 1 $KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null $KEYGEN -q -a RSASHA1 -33 remove > /dev/null echo > remove.db.signed @@ -3491,21 +3507,21 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || { } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer +cd signer || exit 1 $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 ) grep "RRSIG MX" signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; } -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. ( -cd signer +cd signer || exit 1 echo > remove.db.signed $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1 ) @@ -3514,83 +3530,83 @@ grep "RRSIG MX" signer/remove.db.signed > /dev/null || { } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer +cd signer || exit 1 $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1 ) grep "RRSIG MX" signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; } -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)" ret=0 -$DIG $DIGOPTS managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that trust-anchor-telemetry queries are logged ($n)" ret=0 grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" ret=0 grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" ret=0 grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" ret=0 -$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1 +dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1 grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that the view is logged in messages from the validator when using views ($n)" ret=0 grep "view rec: *validat" ns4/named.run > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)" ret=0 -$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "RRSIG.NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 3600" dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # Note: after this check, ns4 will not be validating any more; do not add any # further validation tests employing ns4 below this check. echo_i "check that validation defaults to off when dnssec-enable is off ($n)" ret=0 # Sanity check - validation should be enabled. -$RNDCCMD 10.53.0.4 validation status | grep "enabled" > /dev/null || ret=1 +rndccmd 10.53.0.4 validation status | grep "enabled" > /dev/null || ret=1 # Set "dnssec-enable" to "no" and reconfigure. copy_setports ns4/named5.conf.in ns4/named.conf -$RNDCCMD 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i +rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i # Check validation status again. -$RNDCCMD 10.53.0.4 validation status | grep "disabled" > /dev/null || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +rndccmd 10.53.0.4 validation status | grep "disabled" > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/util/copyrights b/util/copyrights index 45bf7c0e998..480d939f41b 100644 --- a/util/copyrights +++ b/util/copyrights @@ -535,7 +535,6 @@ ./bin/tests/system/dnssec/ns3/sign.sh SH 2000,2001,2002,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018 ./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018 ./bin/tests/system/dnssec/ns5/sign.sh SH 2015,2016,2017,2018 -./bin/tests/system/dnssec/ns5/trusted.conf.bad X 2000,2001,2004,2007,2016,2018 ./bin/tests/system/dnssec/ns6/named.args X 2013,2014,2016,2018 ./bin/tests/system/dnssec/ns6/sign.sh SH 2013,2014,2016,2017,2018 ./bin/tests/system/dnssec/ns7/named.nosoa TXT.BRIEF 2010,2016,2018